Name of API: Network Information API Sec

Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=677166

https://wiki.mozilla.org/WebAPI/NetworkAPI

Brief purpose of API:

General Use Cases:

Read current bandwidth estimate or ask if connection is metered

Listen for connection change events

Inherent threats: Privacy (de-anonymize users based on connection change events?)

Threat severity: Low

== Regular web content (unauthenticated) ==

Use cases for unauthenticated code: Read current bandwidth estimate or ask if connection is metered

Authorization model for normal content: Read current bandwidth estimate or ask if connection is metered

Authorization model for installed content:

Potential mitigations: Maybe fuzz the exact time of the network change event in a similar manner to idle API.

== Trusted (authenticated by publisher) ==

Use cases for authenticated code: As above

Use cases for trusted code:

Potential mitigations:

== Certified (vouched for by trusted 3rd party) ==

Use cases for certified code: As above

Authorization model:

Potential mitigations:
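
The timing fuzz suggested under potential mitigations for regular web content could be planned as follows. This is an added example, not code from the Network Information API or Gecko; `planDeliveries`, `deliveriesPerOrigin`, the per-origin random draw and the coalescing of bursts are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not part of any browser API.
// changes: [{ t: ms timestamp of the real change, metered: bool }], sorted by t.
// rng(): float in [0, 1). Math.random keeps this runnable anywhere; a browser
// implementation would draw the delay from its own CSPRNG.
function planDeliveries(changes, maxFuzzMs, rng = Math.random) {
  const out = [];
  let pending = null; // most recently scheduled delivery
  for (const c of changes) {
    if (pending && c.t <= pending.deliverAt) {
      // A change arrived before the fuzzed event fired: coalesce, so the
      // listener sees only the latest state and cannot count or time the burst.
      pending.metered = c.metered;
      continue;
    }
    // Delay is uniform over 0..maxFuzzMs inclusive, never negative.
    const delay = Math.floor(rng() * (maxFuzzMs + 1));
    pending = { deliverAt: c.t + delay, metered: c.metered };
    out.push(pending);
  }
  return out;
}

// Assumption: each origin gets its own independent draw, so two pages that
// observe the same change do not receive the event at the same instant.
function deliveriesPerOrigin(origins, changes, maxFuzzMs, rngFor) {
  const plan = {};
  for (const o of origins) {
    plan[o] = planDeliveries(changes, maxFuzzMs, rngFor(o));
  }
  return plan;
}

// Constructed sample: three real changes, two of them in quick succession.
const sampleChanges = [
  { t: 1000, metered: false },
  { t: 1200, metered: true },
  { t: 9000, metered: false },
];

for (const d of planDeliveries(sampleChanges, 2000)) {
  console.log(`deliver at ${d.deliverAt} ms, metered=${d.metered}`);
}
```

A larger `maxFuzzMs` weakens cross-origin timing correlation further but delays how quickly a page learns that the connection became metered.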